Owncloud
by OwnCloud
CVEs (135)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-7419 | | Med | 0.35 | 5.4 | 0.01 | | Sep 17, 2016 | Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. |
| CVE-2016-9462 | | Med | 0.28 | 4.3 | 0.02 | | Mar 28, 2017 | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only… |
| CVE-2016-9461 | | Med | 0.28 | 4.3 | 0.02 | | Mar 28, 2017 | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a… |
| CVE-2017-5866 | | Med | 0.28 | 4.3 | 0.01 | | Mar 3, 2017 | The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors. |
| CVE-2016-1501 | | Med | 0.28 | 4.3 | 0.02 | | Jan 8, 2016 | ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages. |
| CVE-2017-5865 | | Low | 0.24 | 3.7 | 0.01 | | Mar 3, 2017 | The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number… |
| CVE-2016-1500 | | Low | 0.20 | 3.1 | 0.01 | | Jan 8, 2016 | ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting… |
| CVE-2023-49105 | | | 0.07 | — | 0.11 | | Nov 21, 2023 | An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted… |
| CVE-2014-2044 | | | 0.04 | — | 0.12 | | Oct 6, 2014 | Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS)… |
| CVE-2015-4716 | | | 0.02 | — | 0.25 | | Oct 21, 2015 | Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors. |
| CVE-2023-49104 | | | 0.00 | — | 0.01 | | Nov 21, 2023 | An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the… |
| CVE-2022-31649 | | | 0.00 | — | 0.01 | | Jun 9, 2022 | ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer. |
| CVE-2021-35946 | | | 0.00 | — | 0.01 | | Sep 7, 2021 | A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions. |
| CVE-2021-29659 | | | 0.00 | — | 0.01 | | May 20, 2021 | ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a… |
| CVE-2020-36248 | | | 0.00 | — | 0.00 | | Feb 19, 2021 | The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive. |
| CVE-2020-36250 | | | 0.00 | — | 0.00 | | Feb 19, 2021 | In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past. |
| CVE-2020-10252 | | | 0.00 | — | 0.01 | | Feb 19, 2021 | An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack. |
| CVE-2020-10254 | | | 0.00 | — | 0.02 | | Feb 19, 2021 | An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview. |
| CVE-2020-16255 | | | 0.00 | — | 0.01 | | Jan 15, 2021 | ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.' |
| CVE-2013-0203 | | | 0.00 | — | 0.01 | | Nov 22, 2019 | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to… |
Page 2 of 7